HackDig : Dig high-quality web security articles for hacker

Last week Google announced a significant change to the way they disclose vulnerabilities. In cases where a zero-day vulnerability has made it into the wild and is being actively exploited, Google will now give 7 days to the software vendor whose product is being exploited before "...support(ing) researchers (by) making details available so that users can take steps to protect themselves."

We hope that the details Google will make available do not include full disclosure or working proof-of-concept code. That being said, we agree that in cases where something is being actively exploited, something should be done. Demanding results from software vendors in 7 days can make it very difficult to foster a relationship of cooperation and get results: what happens when a small firm is the target of Google's research and a key developer is away on vacation? What if the exploit involves legacy code written by an employee who is no longer with the company? 14 days seems like a much more reasonable number.

In any case, it's important to stress that working proof-of-concept code should never be released.